Can I force the use of my dependencies' Cargo.lock when resolving package versions?

Question

The Cargo FAQ states that Cargo.lock is not used for libraries, instead using dependency version ranges found in Cargo.toml, to reduce lib duplication

Answer 1

No, you cannot use a library's Cargo.lock.

as it uses some structures from bson to interact with mongodb.

This is the root problem. Currently, it's unknown to the dependency resolver that one crate has exposed another crate's types in a public interface. That will be addressed when RFC 1977 is implemented.

As described in Consolidating cargo dependencies, you can nudge the version of the dependency to be consolidated:

cargo update -p bson:0.11.1 --precise 0.10.0

See also:

• Consolidating cargo dependencies
• Set specific version of the dependency of a project's dependency in Cargo.toml or Cargo.lock

---

That being said, because of semver, your code works just fine:

[dependencies]
wither = "0.5.1"
mongodb = "0.3.7"

$ cargo tree --invert -p bson
bson v0.10.0
├── mongodb v0.3.7
│   ├── example v0.1.0 (file:///private/tmp/example)
│   └── wither v0.5.1
│       └── example v0.1.0 (file:///private/tmp/example) (*)

Seemingly unavoidably, bson 0.10.0 is used for mongodb, and bson 0.11.1 is used for wither.

This is not the case, as you can tell by (a) the example above and (b) your own statements about the acceptable version ranges.